Securing And Managing Administrative Access

We can help your organisation to centralise the authentication, authorisation and auditing of managed devices. This article describes how we can help you to achieve this. Further information regarding our products can be found on this website or by contacting us.

Access Control For Device Management

The basic requirements of securing administrative access to managed devices in any type of a network are to satisfy an organisation’s needs for authentication, authorisation, and auditing. The larger the number of managed devices in a network and the more system administration users, the more complex satisfying and managing these needs becomes. If there is no centralised control then policies for system administration, user management, device password management, and methods for retrieving and correlating audit information are distributed into each device to be managed. Centralising control over authentication, authorisation, and auditing of system administration users reduces overall network management costs, simplifies the operations team’s processes, and eases the efforts to adhere to security requirements.

The TACACS standard defines the basics of an access control server mechanism along with device password management. However, there is a need for more robust solutions that include:

Being able to access any manageable device from any vendor.

An easy-to-use, browser-based interface.

Ability to proxy many protocols to achieve the most robust auditing.

Support for in-band and out-of-band access control.

Automating management of device password changes.

Multiple levels of profiles for system administration users.

Connecting to managed devices that are not controlled by a network access server.

Granting periodic access to third parties, such as a vendor's support engineers.

Deploy a platform for new, value-added system administration services.

Software applications within Secure Access include:

Managing secure administration access to remote devices.

Measuring system administration access compliance.

Managing the security credentials of Data Track access mechanisms.

Managing the Quality of Service on the TCP/IP network.

The main hardware component of Secure Access is a network device called a Tracker. It is a versatile, intelligent network application device built upon a secure and robust implementation of Linux. It includes extensible system services that improve the delivery and management of system administration. In addition, the Tracker offers an SDK for development of additional network applications.

Data Track's SAMS Software

SAMS is privileged-access and password-management software that aggregates and streamlines authentication, authorization, and auditing. Once system administration users authenticate via the SAMS web portal, they are given access to permitted devices without having to sign on separately to each system or device. The SAMS server maintains a centralised, comprehensive user activity audit trail.

Sample secure access deployment with SAMS

SAMS enables network operations teams to:

Secure authentication by keeping the process hidden, so that device passwords are unknown to users and are therefore not widely distributed. When a user leaves an organization, their profile can be removed from the SAMS database without needing to change the password on any of the devices they had access to.

Control which managed devices an individual user or groups of users can access, including time-restricted, third-party access.

Automate routine administrative tasks by running scripts at regular intervals to do things like change device passwords, back up device configurations, and synchronize device clocks.

Audit user activity to comply with regulations like HIPAA and Sarbanes-Oxley or NERC CIP, as well as to perform forensic analysis should security be breached.

To use SAMS, system administration users authenticate into the network where SAMS is running, and then further authenticate by logging in to the SAMS system with a user name and password. A user profile is applied, and the authenticated user is offered a list of managed devices they are authorised to access. The user selects a device to access, and then an access method and connection path are invoked, delivering a connection to the targeted device by the appropriate access program.

The user's session is audited by the user ID, connection type, and activity performed, down to the keystrokes typed into the access program. SAMS offers reports based on the log of user activity for problem resolution, forensic investigations, and compliance to standards.

Benefits

The SAMS software offers the following benefits to an operations team:

Improved IT productivity by saving time required to manage system administration access. Third-party experts can easily be given access for specialized support.

Strengthens security by reducing the risk of compromised administration access security because users do not see managed device passwords. Also, device password updates can be done more reliably, more frequently, and under automated control.

Creates a comprehensive audit trail by providing a more detailed record of system administration change activity than any other method.

Since device passwords are stored in a secure database and not shared with each system administration user, passwords are changed in only one place. If a system administration user leaves the operations team, the user login is removed from only one place.

Data Track's Tracker Devices

The Tracker is a versatile, intelligent network application device built upon a secure and robust implementation of Linux for the management of communications networks. It is a reliable device that provides secure access for the administration of multi-vendor infrastructure equipment using TCP/IP or PSTN connections. In addition, a secure application runtime environment allows Tracker products to run custom management applications that deliver value-added administrative services.

Multiple devices to be managed can be connected to a single Tracker, making it a cost-effective platform. Trackers maximise communication-management resources by performing a variety of functions simultaneously. A single Tracker can be used to collect streaming data such as syslog output; provide a secure transparent gateway for remote diagnostics or configuration; record, filter, and report device alarms; and run application-specific software. The Tracker models are the 2720, 2730, 2740, 2750 and 2800.

Tracker's Two-factor Authentication

The Tracker 2720 is a device that acts as a secure, out-bound modem. It is programmed with a 128-bit secret and a unique 10-digit identifier. The Tracker 2720 cannot answer incoming calls; it can only dial out. When used to call a standard modem, it will operate as a standard modem itself. When used to call a Tracker 2730, 2740, or 2750 system with the equivalent security mechanism enabled, it will use an encrypted response mechanism to respond to a challenge generated by the remote Tracker device.

Tracker systems are programmed with a single secret. Within a secure challenge/response session, both Tracker systems must have identical secrets in order to authenticate with each other. The mechanism employs the AES algorithm for the authentication process.

Unique Identifier

A unique 10-digit number identifies every Tracker 2720; it cannot be changed. The identifier is patterned as follows:

Digits 1 - 4 are a group identifier

Digits 5 - 10 are the device identifier within that group

The use of a group identifier eliminates the complexity of managing multiple secrets, enhances the access control ability of the system, and allows for support of a greater number of separate systems within an organisation.

Access Control

After the AES authentication process takes place, the Tracker 2730, 2740, or 2750 systems will continue the authentication process via access control lists containing unique identifiers of Tracker 2720s. There is an access control list for "standard" access on all Tracker systems, and another for "master" access on the Tracker 2730 only.

A Tracker 2720 with an entry in the "standard" access control list of a 2730, 2740 or 2750 system is either allowed or denied access directly to a port in the remote Tracker system. If it has an entry in the "master" list, it is either allowed or denied for administrative access to a Tracker 2730 system itself.

Authentication Session

Tracker 2720 calls Tracker 2730, 2740, or 2750.

Called Tracker system, acting as a lock, raises encrypted challenge.

Tracker 2720 formulates and returns an encrypted response.

Response is accepted or denied by called Tracker system.

If accepted; called Tracker system securely requests unique identifier.

Tracker 2720 returns unique identifier.

On receipt, called Tracker system applies access control mechanism.

Tracker Integration Into SAMS

Data Track's Tracker device integrates into SAMS as a remote secure access device servicing out-of-band, in-band, and VPN connections. Using SAMS to gain access to a managed device through a Tracker delivers increased benefits and security because the Tracker's strong authentication protocols and its VPN capabilities can be used by SAMS to create an encrypted authentication, and then an encrypted connection from SAMS through the Tracker to a managed device on a network "behind" the Tracker. Additional Tracker security features such as restricted answering can be employed to further increase security. The complete set of Secure Access applications are available to any site where a Tracker is deployed.

Data Track's TRS Software

TRS software provides centralised registration and management of the security credentials used by the two-factor authentication process within Data Track's Secure Access solution. It is an essential part of managing large deployments of Data Track's secure access devices.

Features

The following are some of the major features of the TRS software:

Creates and manages authentication "secret".

Creates and manages access control lists

Supports all Tracker devices that act as locks or keys

Uses local RS-232 interface of the 2720 and 2730, and the remote modem interface of the 2730 to:

Register the device.

Install the authentication "secret" and access control lists.

Upgrade the device's firmware, when necessary.

Uses a TCP/IP session over the LAN interface or within a PPP session over the modem interface of the 2740 and 2750 to:

Register the device.

Install the authentication "secret" and access control lists.

Tracker devices are registered into the system by TRS engineer users.

Each Tracker can have multiple security profiles associated with it, as created by the TRS admin user.

Summary

Data Track Technology's Secure Access offer increases the security of administrative and support activity within an organisation. Deploying it lowers total system administration costs by speeding response times and delivering complete auditing facilities for forensic and compliance requirements.